Abstract. Stuttering bisimulation is a well-known behavioral equivalence that preserves CTL-X, namely CTL without the next-time operator X. Correspondingly, the stuttering simulation preorder induces a coarser behavioral equivalence that preserves the existential fragment ECTL-{X, G}, namely ECTL without the next-time X and globally G operators. While stuttering bisimulation equivalence can be computed by the well-known Groote and Vaandrager's [1990] algorithm, to the best of our knowledge, no algorithm for computing the stuttering simulation preorder and equivalence is available. This paper presents such an algorithm for finite state systems.



1 Introduction 

The Problem. Lamport's criticism [8] of the next-time operator X in CTL/CTL* aroused the interest in studying temporal logics like CTL-X/CTL*-X, obtained from CTL/CTL* by removing the next-time operator, and related notions of behavioral stuttering-based equivalences [1,4,6]. We are interested here in divergence blind stuttering simulation and bisimulation, that we call, respectively, stuttering simulation and bisimulation for short. We focus here on systems specified as Kripke structures (KSs), but analogous considerations hold for labeled transition systems (LTSs). Let 𝒦 = (Σ, →, ℓ) be a KS where (Σ, →) is a transition system and ℓ is a state labeling function. A relation R ⊆ Σ × Σ is a stuttering simulation on 𝒦 when for any s, t ∈ Σ such that (s, t) ∈ R: (1) s and t have the same labeling by ℓ and (2) if s→s' then t→*t' for some t' in such a way that the following diagram holds:



where a dotted line between two states means that they are related by R. The intuition is that t is allowed to simulate a transition s→s' possibly through some initial "stuttering" transitions (τ-transitions in case of LTSs). R is called a stuttering bisimulation when it is symmetric. It turns out that the largest stuttering simulation R_stsim and bisimulation R_stbis relations exist: R_stsim is a preorder called the stuttering simulation preorder while R_stbis is an equivalence relation called the stuttering bisimulation equivalence. Moreover, the preorder R_stsim induces by symmetric reduction the stuttering simulation equivalence R_stsimeq = R_stsim ∩ R_stsim⁻¹. The partition of Σ corresponding to the equivalence R_stsimeq is denoted by P_stsim.



De Nicola and Vaandrager [4] showed that for finite KSs and for an interpretation of universal/existential path quantifiers over all the, possibly finite, prefixes, the stuttering bisimulation equivalence coincides with the state equivalence induced by the language CTL-X (this also holds for CTL*-X). This is not true with the standard interpretation of path quantifiers over infinite paths, since this requires a divergence sensitive notion of stuttering (see the details in [4]). Groote and Vaandrager [6] designed a well-known algorithm that computes the stuttering bisimulation equivalence R_stbis in O(|Σ||→|)-time and O(|→|)-space.

Clearly, stuttering simulation equivalence is coarser than stuttering bisimulation, i.e. R_stbis ⊆ R_stsimeq. As far as language preservation is concerned, it turns out that stuttering simulation equivalence coincides with the state equivalence induced by the language ECTL-{X, G}, namely the existential fragment of CTL without the next-time and globally operators X and G. Thus, on the one hand, stuttering simulation equivalence still preserves a significantly expressive fragment of CTL and, on the other hand, it may provide a significantly better state space reduction than simulation equivalence, and this has been shown to be useful in abstract model checking [9,10].

State of the Art. To the best of our knowledge, there exists no algorithm for computing stuttering simulation equivalence or, more in general, the stuttering simulation preorder. There is instead an algorithm by Bulychev et al. [2] for checking stuttering simulation, namely, this procedure checks whether a given relation R ⊆ Σ × Σ is a stuttering simulation. This algorithm formalizes the problem of checking stuttering simulation as a two players game in a straightforward way and then exploits Etessami et al.'s [5] algorithm for solving such a game. The authors claim that this provides an algorithm for checking stuttering simulation on finite KSs that runs in O(|→|²) time and space.

Main Contributions. In this paper we present an algorithm for computing simultaneously both the stuttering simulation preorder R_stsim and the stuttering simulation equivalence R_stsimeq for finite KSs. This procedure is incrementally designed in two steps. We first put forward a basic procedure for computing the stuttering simulation preorder that relies directly on the notion of stuttering simulation. For any state x ∈ Σ, StSim(x) ⊆ Σ represents the set of states that are candidates to stuttering simulate x, so that a family of sets {StSim(x)}_{x∈Σ} is maintained. A pair of states (x, y) ∈ Σ × Σ is called a refiner for StSim when x→y and there exists z ∈ StSim(x) that cannot stuttering simulate x w.r.t. y, i.e., z ∉ pos(StSim(x), StSim(y)), where pos(StSim(x), StSim(y)) is the set of all the states in StSim(x) that may reach a state in StSim(y) through a path of states in StSim(x). Hence, any such z can be correctly removed from StSim(x). Actually, it turns out that one such refiner (x, y) allows to refine StSim to StSim' as follows: if S = pos(StSim(x), StSim(y)) then

$$\mathrm{StSim}'(w) = \begin{cases} \mathrm{StSim}(w) \cap S & \text{if } w \in S \\ \mathrm{StSim}(w) & \text{otherwise} \end{cases}$$

Thus, our basic algorithm consists in initializing {StSim(x)}_{x∈Σ} as {y ∈ Σ | ℓ(y) = ℓ(x)}_{x∈Σ} and then iteratively refining StSim as long as a refiner exists. This provides an explicit stuttering simulation algorithm, meaning that this procedure requires that for any explicit state x ∈ Σ, StSim(x) is explicitly represented as a set of states.
Inspired by techniques used in algorithms that compute standard simulation preorders and equivalences (cf. Henzinger et al. [7] and Ranzato and Tapparo [11]) and in abstract interpretation-based algorithms for computing strongly preserving abstract models [12], our stuttering simulation algorithm SSA is obtained from the above basic procedure by exploiting the following two main ideas.

(1) The above explicit algorithm is made "symbolic" by representing the family of sets of states {StSim(x)}_{x∈Σ} as a family of sets of blocks of a partition P of the state space Σ. More precisely, we maintain a partition P of Σ together with a binary relation ≤ ⊆ P × P (a so-called partition-relation pair) so that: (i) two states x and y in the same block of P are candidates to be stuttering simulation equivalent and (ii) if B and C are two blocks of P and B ≤ C then any state in C is a candidate to stuttering simulate each state in B. Therefore, here, for any x ∈ Σ, if B_x ∈ P is the block of P that contains x then StSim(x) = StSim(B_x) = ∪{C ∈ P | B_x ≤ C}.

(2) In this setting, a refiner of the current partition-relation pair (P, ≤) is a pair of blocks (B, C) ∈ P × P such that B →∃ C and StSim(B) ⊈ pos(StSim(B), StSim(C)), where →∃ is the existential transition relation between blocks of P, i.e., B →∃ C iff there exist x ∈ B and y ∈ C such that x→y. We devise an efficient way for finding a refiner of the current partition-relation pair that allows us to check whether a given preorder R is a stuttering simulation in O(|P||→|) time and O(|Σ||P| log|Σ|) space, where P is the partition corresponding to the equivalence R ∩ R⁻¹. Hence, this algorithm for checking stuttering simulation already significantly improves both in time and space Bulychev et al.'s [2] procedure.

Our algorithm SSA iteratively refines the current partition-relation pair (P, ≤) by first splitting the partition P and then by pruning the relation ≤ until a fixpoint is reached. Hence, SSA outputs a partition-relation pair (P, ≤) where P = P_stsim and y stuttering simulates x iff P(x) ≤ P(y), where P(x) and P(y) are the blocks of P that contain, respectively, x and y. As far as complexity is concerned, it turns out that SSA runs in O(|P_stsim|²(|→| + |P_stsim||Σ|)) time and O(|Σ||P_stsim| log|Σ|) space. It is worth remarking that stuttering simulation yields a rather coarse equivalence so that |P_stsim| should be in general much less than the size |Σ| of the concrete state space.

2 Background 

Notation. If R ⊆ Σ × Σ is any relation and x ∈ Σ then R(x) = {x' ∈ Σ | (x, x') ∈ R}. Let us recall that R is called a preorder when it is reflexive and transitive. If f is a function defined on ℘(Σ) and x ∈ Σ then we often write f(x) to mean f({x}). A partition P of a set Σ is a set of nonempty subsets of Σ, called blocks, that are pairwise disjoint and whose union gives Σ. Part(Σ) denotes the set of partitions of Σ. If P ∈ Part(Σ) and s ∈ Σ then P(s) denotes the block of P that contains s. Part(Σ) is endowed with the following standard partial order: P₁ ≼ P₂, i.e. P₂ is coarser than P₁, iff ∀B ∈ P₁. ∃B' ∈ P₂. B ⊆ B'. For a given nonempty subset S ⊆ Σ called splitter, we denote by Split(P, S) the partition obtained from P by replacing each block B ∈ P with the nonempty sets B ∩ S and B ∖ S, where we also allow no splitting, namely Split(P, S) = P (this happens exactly when S is a union of some blocks of P). If B ∈ P' = Split(P, S) then we denote by parent_P(B) (or simply by parent(B)) the unique block in P that contains B (this may possibly be B itself).

A transition system (Σ, →) consists of a set Σ of states and a transition relation → ⊆ Σ × Σ. The predecessor transformer pre : ℘(Σ) → ℘(Σ) is defined as usual: pre(Y) = {s ∈ Σ | ∃t ∈ Y. s→t}. If S₁, S₂ ⊆ Σ then S₁ →∃ S₂ iff there exist s₁ ∈ S₁ and s₂ ∈ S₂ such that s₁→s₂. Given a set AP of atomic propositions (of some specification language), a Kripke structure (KS) 𝒦 = (Σ, →, ℓ) over AP consists of a transition system (Σ, →) together with a state labeling function ℓ : Σ → ℘(AP). P_ℓ ∈ Part(Σ) denotes the state partition induced by ℓ, namely, P_ℓ = {{s' ∈ Σ | ℓ(s) = ℓ(s')} | s ∈ Σ}.

Stuttering Simulation. Let 𝒦 = (Σ, →, ℓ) be a KS. A relation R ⊆ Σ × Σ is a divergence blind stuttering simulation on 𝒦 if for any s, t ∈ Σ such that (s, t) ∈ R:

(1) ℓ(s) = ℓ(t);

(2) If s→s' then there exist t₀, ..., t_k ∈ Σ, with k ≥ 0, such that: (i) t₀ = t; (ii) for all i ∈ [0, k), t_i→t_{i+1} and (s, t_i) ∈ R; (iii) (s', t_k) ∈ R.

Observe that condition (2) allows the case k = 0 and this boils down to requiring that (s', t) ∈ R. With a slight abuse of terminology, R is called simply a stuttering simulation. If (s, t) ∈ R then we say that t stuttering simulates s and we denote this by s ≤ t. If R is a symmetric relation then it is called a stuttering bisimulation. The empty relation is a stuttering simulation and stuttering simulations are closed under union so that the largest stuttering simulation relation exists. It turns out that the largest stuttering simulation is a preorder relation called stuttering simulation preorder (on 𝒦) and denoted by R_stsim. Thus, for any s, t ∈ Σ, s ≤ t iff (s, t) ∈ R_stsim. Stuttering simulation equivalence R_stsimeq is the symmetric reduction of R_stsim, namely R_stsimeq = R_stsim ∩ R_stsim⁻¹, so that (s, t) ∈ R_stsimeq iff s ≤ t and t ≤ s. P_stsim ∈ Part(Σ) denotes the partition corresponding to the equivalence R_stsimeq and is called stuttering simulation partition. Following Groote and Vaandrager [6], pos : ℘(Σ) × ℘(Σ) → ℘(Σ) is defined as:

$$\mathrm{pos}(S, T) \triangleq \{ s \in S \mid \exists k \geq 0.\ \exists s_0, \dots, s_k.\ s_0 = s \ \&\ \forall i \in [0, k).\ s_i \in S,\ s_i \to s_{i+1} \ \&\ s_k \in T \}$$

so that a relation R ⊆ Σ × Σ is a stuttering simulation iff for any x, y ∈ Σ, R(x) ⊆ P_ℓ(x) and if x→y then R(x) ⊆ pos(R(x), R(y)).

It turns out [4] that P_stsim is the coarsest partition preserved by the temporal language ECTL-{X, G}. More precisely, ECTL-{X, G} is inductively defined as follows:

$$\varphi ::= p \mid \neg p \mid \varphi_1 \wedge \varphi_2 \mid \varphi_1 \vee \varphi_2 \mid \mathrm{EU}(\varphi_1, \varphi_2)$$

and its semantics is standard: ⟦p⟧ = {s ∈ Σ | p ∈ ℓ(s)} and ⟦EU(φ₁, φ₂)⟧ = ⟦φ₂⟧ ∪ pos(⟦φ₁⟧, ⟦φ₂⟧). The coarsest partition preserved by ECTL-{X, G} is the state partition corresponding to the following equivalence ∼ between states: for any s, t ∈ Σ,

$$s \sim t \iff \forall \varphi \in \text{ECTL-}\{X, G\}.\ s \in [\![\varphi]\!] \Leftrightarrow t \in [\![\varphi]\!].$$
BasicSSA(Partition P_ℓ) {
    forall x ∈ Σ do StSim(x) := P_ℓ(x);
    while (∃x, y ∈ Σ such that x→y & StSim(x) ⊈ pos(StSim(x), StSim(y))) do
        S := pos(StSim(x), StSim(y));
        forall w ∈ S do StSim(w) := StSim(w) ∩ S;
}

3 Basic Algorithm 

For each state x ∈ Σ, the algorithm BasicSSA in Figure 1 computes the stuttering simulator set StSim(x) ⊆ Σ, i.e., the set of states that stuttering simulate x. The basic idea is that StSim(x) contains states that are candidates for stuttering simulating x. Thus, the input partition of BasicSSA is taken as the partition P_ℓ determined by the labeling ℓ so that StSim(x) is initialized with P_ℓ(x), i.e., with all the states that have the same labeling as x. Following the definition of stuttering simulation, a refiner is a pair of states (x, y) such that x→y and StSim(x) ⊈ pos(StSim(x), StSim(y)). In fact, if z ∈ StSim(x) ∖ pos(StSim(x), StSim(y)) then z cannot stuttering simulate x and therefore can be correctly removed from StSim(x). Conversely, if no such refiner exists then for any x, y ∈ Σ such that x→y we have that StSim(x) ⊆ pos(StSim(x), StSim(y)) so that any z ∈ StSim(x) actually stuttering simulates x. Hence, BasicSSA consists in iteratively refining {StSim(x)}_{x∈Σ} as long as a refiner exists, where, given a refiner (x, y), the refinement of StSim by means of S = pos(StSim(x), StSim(y)) is as follows:

$$\mathrm{StSim}'(w) = \begin{cases} \mathrm{StSim}(w) \cap S & \text{if } w \in S \\ \mathrm{StSim}(w) & \text{otherwise} \end{cases}$$

It turns out that this procedure correctly computes the stuttering simulation preorder.

Theorem 3.1. BasicSSA is correct, i.e., if StSim is the output of BasicSSA on input P_ℓ then for any x, y ∈ Σ, y ∈ StSim(x) ⇔ x ≤ y.
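As an added example (this is not code from the paper), the explicit BasicSSA of Figure 1 in Python over a small constructed KS: pos is computed as a backward closure inside S, the refinement loop runs until no transition x→y is a refiner, and the check function implements the characterization of stuttering simulation given in Section 2. The constructed KS contains a deadlocked state u and a state v with an inert self-loop, which end up equivalent because the notion is divergence blind; all names in the block are my own.

```python
from collections import deque

def graph(states, edges):
    """Successor and predecessor maps of the transition relation."""
    succ = {s: set() for s in states}
    pred = {s: set() for s in states}
    for x, y in edges:
        succ[x].add(y)
        pred[y].add(x)
    return succ, pred

def pos(S, T, succ, pred):
    """pos(S, T) of Groote and Vaandrager: states of S that reach a state of
    T along a path whose states before the last one all lie in S; a path of
    length k = 0 counts, so S ∩ T ⊆ pos(S, T)."""
    S, T = set(S), set(T)
    reach = {s for s in S if s in T or succ[s] & T}   # k = 0 and k = 1
    work = deque(reach)
    while work:                        # backward closure through states of S
        y = work.popleft()
        for x in pred[y]:
            if x in S and x not in reach:
                reach.add(x)
                work.append(x)
    return frozenset(reach)

def basic_ssa(states, label, edges):
    """Explicit BasicSSA of Figure 1: start from the labeling partition and
    refine StSim as long as some transition x -> y is a refiner."""
    succ, pred = graph(states, edges)
    stsim = {x: frozenset(y for y in states if label[y] == label[x])
             for x in states}                        # StSim(x) := P_l(x)
    while True:
        refiner = next(((x, y) for x, y in edges
                        if not stsim[x] <= pos(stsim[x], stsim[y], succ, pred)),
                       None)
        if refiner is None:
            return stsim
        x, y = refiner
        S = pos(stsim[x], stsim[y], succ, pred)
        for w in S:                                  # StSim(w) := StSim(w) ∩ S
            stsim[w] = stsim[w] & S

def is_stuttering_simulation(R, states, label, edges):
    """Section 2 characterization: R(x) ⊆ P_l(x) and, whenever x -> y,
    R(x) ⊆ pos(R(x), R(y))."""
    succ, pred = graph(states, edges)
    same_label = all(label[t] == label[x] for x in states for t in R[x])
    return same_label and all(R[x] <= pos(R[x], R[y], succ, pred)
                              for x, y in edges)

def stsim_partition(R):
    """Blocks of the symmetric reduction: x ~ y iff x <= y and y <= x."""
    return {frozenset(y for y in R if y in R[x] and x in R[y]) for x in R}

def example():
    # Constructed KS: s0 -> s1 -> s2 and t0 -> t2 make s0 and t0 stuttering
    # simulation equivalent; u (deadlock) and v (inert self-loop) are
    # equivalent to each other because the simulation is divergence blind,
    # but neither of them simulates s0 or t0.
    states = ["s0", "s1", "s2", "t0", "t2", "u", "v"]
    label = dict(s0="a", s1="a", s2="b", t0="a", t2="b", u="a", v="a")
    edges = [("s0", "s1"), ("s1", "s2"), ("t0", "t2"), ("v", "v")]
    R = basic_ssa(states, label, edges)
    return R, states, label, edges

if __name__ == "__main__":
    R, states, label, edges = example()
    for x in states:
        print(f"StSim({x}) = {sorted(R[x])}")
    print("P_stsim =", [sorted(b) for b in stsim_partition(R)])
```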

4 Partition-Relation Pairs 

A partition-relation pair (P, ≤), PR for short, is given by a partition P ∈ Part(Σ) together with a binary relation ≤ ⊆ P × P between blocks of P. We write B ⊲ C when B ≤ C and B ≠ C, and (B', C') ≤ (B, C) when B' ≤ B and C' ≤ C. Our stuttering simulation algorithm relies on the idea of symbolizing the BasicSSA procedure in order to maintain a PR (P, ≤) in place of the family of explicit sets of states {StSim(s)}_{s∈Σ}. As a first step, 𝒮 = {StSim(s)}_{s∈Σ} induces a partition P that corresponds to the following equivalence

$$s_1 \sim_{\mathcal{S}} s_2 \iff \forall s \in \Sigma.\ s_1 \in \mathrm{StSim}(s) \Leftrightarrow s_2 \in \mathrm{StSim}(s).$$

Fig. 1. Basic Stuttering Simulation Algorithm BasicSSA.
Hence, the intuition is that if P(s₁) = P(s₂) then s₁ and s₂ are "currently" candidates to be stuttering simulation equivalent. Accordingly, a relation ≤ on P encodes stuttering simulation as follows: if s ∈ Σ then StSim(s) = {t ∈ Σ | P(s) ≤ P(t)}. Here, the intuition is that if B ≤ C then any state t ∈ C is "currently" a candidate to stuttering simulate any state s ∈ B. Equivalently, the following invariant property is maintained: if s ≤ t then P(s) ≤ P(t). Thus, a PR (P, ≤) will represent the current approximation of the stuttering simulation preorder and in particular P will represent the current approximation of stuttering simulation equivalence.

More precisely, a PR 𝒫 = (P, ≤) induces the following map μ_𝒫 : ℘(Σ) → ℘(Σ): for any X ∈ ℘(Σ),

$$\mu_{\mathcal{P}}(X) \triangleq \bigcup \{ C \in P \mid \exists B \in P.\ B \cap X \neq \emptyset,\ B \le C \}.$$

Note that, for any s ∈ Σ, μ_𝒫(s) = μ_𝒫(P(s)) = {t ∈ Σ | P(s) ≤ P(t)}, that is, μ_𝒫(s) represents the set of states that are currently candidates to stuttering simulate s. A PR 𝒫 = (P, ≤) is therefore defined to be a stuttering simulation for a KS 𝒦 when the relation {(s, t) ∈ Σ × Σ | s ∈ Σ, t ∈ μ_𝒫(s)} is a stuttering simulation on 𝒦.

Recall that in BasicSSA a pair of states (s, t) ∈ Σ × Σ is a refiner for StSim when s→t and StSim(s) ⊈ pos(StSim(s), StSim(t)). Accordingly, a pair of blocks (B, C) ∈ P × P is called a refiner for 𝒫 when B →∃ C and μ_𝒫(B) ⊈ pos(μ_𝒫(B), μ_𝒫(C)). Thus, by defining

$$\mathrm{Refiner}(\mathcal{P}) \triangleq \{ (B, C) \in P^2 \mid B \to_\exists C,\ \mu_{\mathcal{P}}(B) \not\subseteq \mathrm{pos}(\mu_{\mathcal{P}}(B), \mu_{\mathcal{P}}(C)) \}$$

the following characterization holds:

Theorem 4.1. 𝒫 = (P, ≤) is a stuttering simulation iff Refiner(𝒫) = ∅ and for any s ∈ Σ, μ_𝒫(s) ⊆ P_ℓ(s).

4.1 A Symbolic Algorithm

The algorithm BasicSSA is therefore made symbolic as follows:

(1) (P_ℓ, id) is the input PR, where (B, C) ∈ id ⇔ B = C;

(2) Find (B, C) ∈ Refiner(𝒫); if Refiner(𝒫) = ∅ exit;

(3) Compute S = pos(μ_𝒫(B), μ_𝒫(C));

(4) 𝒫' := (P', ≤'), where P' = Split(P, S) and ≤' is modified in such a way that for any s ∈ Σ, μ_𝒫'(P'(s)) = μ_𝒫(P(s));

(5) 𝒫'' := (P', ≤''), where ≤' is modified to ≤'' in such a way that for any B ∈ P': μ_𝒫''(B) = μ_𝒫'(B) ∩ S if B ⊆ S, and μ_𝒫''(B) = μ_𝒫'(B) otherwise (this is the refinement step of BasicSSA in Figure 1 read at the level of blocks);

(6) 𝒫 := 𝒫'' and go to (2).
1 SSA(PR (P, Rel)) {
2     Initialize();
3     while ((B, C) := FindRefiner()) ≠ (null, null) do
4         list(State) X := Image((P, Rel), B), Y := Image((P, Rel), C);
5         list(State) S := pos(X, Y);
6         SplittingProcedure((P, Rel), S);
7         Refine((P, Rel), S);
8 }

Fig. 2. Stuttering Simulation Algorithm SSA.



This leads to the symbolic algorithm SSA described in Figure 2 where: the input PR (P, Rel) at line 1 is (P_ℓ, id) of point (1); point (2) corresponds to the call FindRefiner() at line 3; point (3) corresponds to lines 4-5; point (4) corresponds to the call SplittingProcedure((P, Rel), S) at line 6; point (5) corresponds to the call Refine((P, Rel), S) at line 7. The following graphical example shows how points (4) and (5) refine a PR ({[0, 1], [2, 3], [4, 5], [6, 7], [8, 9]}, ≤) w.r.t. the set S = {3, 4, 5, 8}, where if B ⊲ C then B is drawn below C while if B ≤ C and C ≤ B then B and C are at the same height and connected by a double line.
[Picture omitted: the blocks of the example PR before the refinement and after steps (4) and (5).]
The correctness of this symbolic algorithm goes as follows.

Theorem 4.2 (Correctness). SSA is a correct implementation of BasicSSA, i.e., if StSim is the output function of BasicSSA on input P_ℓ and 𝒫 = (P, Rel) is the output PR of SSA on input (P_ℓ, id) then for any x ∈ Σ, StSim(x) = μ_𝒫(x).

The next step consists in devising an efficient implementation of SSA.



5 Bottom States 

While it is not too hard to devise an efficient implementation of lines 2 and 4-7 of the SSA algorithm, it is instead not straightforward to find a refiner in an efficient way. In Groote and Vaandrager's [6] algorithm for computing stuttering bisimulations the key point for efficiently finding a refiner in their setting is the notion of bottom state. Given a set of states S ⊆ Σ, a bottom state of S is a state s ∈ S that cannot go inside S, i.e., s can only go outside S (note that s may also have no outgoing transition). For any S ⊆ Σ, we therefore define:

$$\mathrm{Bottom}(S) \triangleq S \setminus \mathrm{pre}(S).$$
Bottom states allow to efficiently find refiners in KSs that do not contain cycles of states all having the same labeling. Following Groote and Vaandrager [6], a transition s→t is called inert for a partition P ∈ Part(Σ) when P(s) = P(t). Clearly, if a set of states S in a KS 𝒦 is strongly connected via inert transitions for the labeling partition P_ℓ then all the states in S are stuttering simulation equivalent, i.e., if s, s' ∈ S then P_stsim(s) = P_stsim(s'). Thus, each strongly connected component (s.c.c.) S with respect to inert transitions for P_ℓ, called inert s.c.c., can be collapsed to one single "symbolic state". In particular, if {s} is one such inert s.c.c., i.e. s→s, then this collapse simply removes the transition s→s. It is important to remark that a standard depth-first search algorithm by Tarjan [3], running in O(|Σ| + |→|) time, allows us to find and then collapse all the inert s.c.c.'s in the input KS. We can thus assume w.l.o.g. that the KS 𝒦 does not contain inert s.c.c.'s. The following characterization of refiners therefore holds.

Lemma 5.1. Assume that 𝒦 does not contain inert s.c.c.'s. Let 𝒫 = (P, ≤) be a PR such that for any B ∈ P, μ_𝒫(B) ⊆ P_ℓ(B). Consider (B, C) ∈ P × P such that B →∃ C. Then, (B, C) ∈ Refiner(𝒫) iff Bottom(μ_𝒫(B)) ⊈ μ_𝒫(C) ∪ pre(μ_𝒫(C)).

If B ∈ P is any block then we define as local bottom states of B all the bottom states of μ_𝒫(B) that belong to B, namely

$$\mathrm{localBottom}(B) = \mathrm{Bottom}(\mu_{\mathcal{P}}(B)) \cap B.$$

Also, we define C ∈ P as a bottom block for B when C contains at least a bottom state of μ_𝒫(B) and B ≤ C, that is:

$$\mathrm{bottomBlock}(B) = \{ C \in P \mid B \le C,\ C \cap \mathrm{Bottom}(\mu_{\mathcal{P}}(B)) \neq \emptyset \}.$$

Local bottoms and bottom blocks characterize refiners for stuttering simulation as follows:

Theorem 5.2. Assume that 𝒦 does not contain inert s.c.c.'s. Let 𝒫 = (P, ≤) be a PR such that ≤ is a preorder and for any B ∈ P, μ_𝒫(B) ⊆ P_ℓ(B). Consider (B, C) ∈ P × P such that B →∃ C and for any (D, E) such that D →∃ E and (B, C) ≤ (D, E), (D, E) ∉ Refiner(𝒫). Then, (B, C) ∈ Refiner(𝒫) iff at least one of the following two conditions holds:

(i) C ≰ B and localBottom(B) ⊈ pre(μ_𝒫(C));

(ii) There exists D ∈ bottomBlock(B) such that C ≰ D and D ↛∃ μ_𝒫(C).

We will show that this characterization provides the basis for an algorithm that efficiently finds refiners. Hence, this procedure also checks whether a given preorder R is a stuttering simulation. This can be done in O(|P||→|) time and O(|Σ||P| log|Σ|) space, where P is the partition corresponding to the equivalence R ∩ R⁻¹. Thus, this algorithm for checking stuttering simulation already significantly improves Bulychev et al.'s procedure that runs in O(|→|²) time and space.
6 Implementation



6.1 Data Structures 

SSA is implemented by exploiting the following data structures.

(i) A state s is represented by a record that contains the list s.pre of its predecessors pre(s) and a pointer s.block to the block P(s) that contains s. The state space Σ is represented as a doubly linked list of states.

(ii) The states of any block B of the current partition P are consecutive in the list Σ, so that B is represented by two pointers begin and end: the first state of B in Σ and the successor of the last state of B in Σ, i.e., B = [B.begin, B.end[. Moreover, B contains a pointer B.intersection to a block whose meaning is as follows: after a call to Split(P, S) for splitting P w.r.t. a set of states S, if ∅ ≠ B ∩ S ⊊ B then B.intersection points to a block that represents B ∩ S, otherwise B.intersection = null. Finally, the fields localBottoms and bottomBlocks for a block B represent, resp., the local bottom states of B and the bottom blocks of B. The current partition P is stored as a doubly linked list of blocks.

(iii) The current relation ≤ on P is stored as a resizable |P| × |P| boolean matrix Rel: Rel(B, C) = tt iff B ≤ C. Recall [3, Section 17.4] that insert operations in a resizable array (whose capacity is doubled as needed) take amortized constant time, and a resizable matrix (or table) can be implemented as a resizable array of resizable arrays. The boolean matrix Rel is resized by adding a new entry to Rel, namely a new row and a new column, for any block B that is split into two new blocks B ∖ S and B ∩ S.

(iv) SSA additionally stores and maintains a resizable integer table Count and a resizable integer matrix BCount. Count is indexed over Σ and P and has the following meaning: Count(s, C) = |{(s, t) | C ≤ D, t ∈ D, s→t}|, i.e. the number of transitions from s into μ_𝒫(C), while BCount is indexed over P × P and has the following meaning: BCount(B, C) = Σ_{s∈B} Count(s, C). The table Count allows to implement the test s ∉ pre(μ_𝒫(C)) in constant time as Count(s, C) = 0, while BCount allows to implement in constant time the test B ↛∃ μ_𝒫(C) as BCount(B, C) = 0.



6.2 FindRefiner Algorithm 

The algorithm FindRefiner() in Figure 3 is an implementation of the characterization of refiners provided by Theorem 5.2. In particular, lines 8-10 implement condition (i) of Theorem 5.2 and lines 11-12 implement condition (ii). The correctness of this implementation depends on the following key point. Given a pair of blocks (B, C) ∈ P × P such that B →∃ C, in order to ensure the equivalence: (B, C) ∈ Refiner(𝒫) iff (i) ∨ (ii), Theorem 5.2 requires as hypothesis the following condition:

$$\forall (D, E) \in P \times P.\ D \to_\exists E \ \&\ (B, C) \le (D, E) \Rightarrow (D, E) \notin \mathrm{Refiner}(\mathcal{P}) \qquad (*)$$

In order to ensure this condition (*), we guarantee throughout the execution of SSA that the list P of blocks is stored in reverse topological ordering w.r.t. ≤, so that if B ⊲ B' then B' precedes B in the list P. The reverse topological ordering of P initially holds because the input PR is the DAG (P_ℓ, id) which is trivially topologically ordered (whatever the ordering of P_ℓ is). More in general, for a generic input PR (P, Rel) to SSA the function Initialize() in Figure 7 in Appendix A achieves this reverse topological ordering by a standard algorithm [3, Section 22.4] that runs in O(|P|²) time (cf. the call TopologicalSort(P, Rel) in the Initialize() function). Then, the reverse topological ordering of P is always maintained throughout the execution of SSA. In fact, if the partition P is split w.r.t. a set S and a block B generates two new descendant blocks B ∩ S and B ∖ S then our SplittingProcedure in Figure 5 modifies the ordering of the list P as follows: B is replaced in P by inserting B ∩ S immediately followed by B ∖ S. This guarantees that at the exit of Refine((P, Rel), S) at line 7 of SSA the list P is still in reverse topological ordering w.r.t. Rel. This is a consequence of the fact that at the exit of Refine((P, Rel), S), by point (5) in Section 4.1 we have that μ_(P,Rel)(B ∩ S) = μ_(P,Rel)(B) ∩ S, i.e., μ_(P,Rel)(B ∩ S) ∩ (B ∖ S) = ∅, so that B ∩ S ≰ B ∖ S. The reverse topological ordering of P w.r.t. ≤ ensures that if (B, C) ≤ (B', C') then (B, C) is scanned by FindRefiner after the pair (B', C'). Since FindRefiner() exits as soon as a refiner is found, we have that (B', C') cannot be a refiner, so that condition (*) holds for (B, C).

 1 Precondition: The list P is stored in reverse topological ordering w.r.t. Rel
 2 (Block, Block) FindRefiner() {
 3     matrix(bool) Refiner;
 4     forall B ∈ P do forall C ∈ P do Refiner(B, C) := maybe;
 5     forall C ∈ P do
 6         forall B ∈ P such that B →∃ C do
 7             if (Refiner(B, C) = maybe) then
 8                 if (Rel(C, B) = ff) then
 9                     forall s ∈ B.localBottoms do
10                         if (Count(s, C) = 0) then return (B, C);
11                 forall D ∈ B.bottomBlocks do
12                     if (Rel(C, D) = ff & BCount(D, C) = 0) then return (B, C);
13                 forall E ∈ P do
14                     if (Rel(E, C) = tt) then Refiner(B, E) := ff;
15     return (null, null);
16 }

Fig. 3. FindRefiner() algorithm.

When FindRefiner() determines that a pair of blocks (B, C), with B →∃ C, is not a refiner, it stores this information in a local boolean matrix Refiner that is indexed over P × P and initialized to maybe. Thus, the meaning of the matrix Refiner is as follows: if Refiner(B, C) = ff then (B, C) ∉ Refiner(𝒫). If (B, C) ∉ Refiner(𝒫) then both (i) and (ii) do not hold, therefore FindRefiner() executes the for-loop at lines 13-14 so that any (B, E) with E ≤ C is marked as Refiner(B, E) = ff. This is correct because if (B, C) ∉ Refiner(𝒫) and (B, E) ≤ (B, C) then (B, E) ∉ Refiner(𝒫): in fact, by Lemma 5.1, Bottom(μ_𝒫(B)) ⊆ μ_𝒫(C) ∪ pre(μ_𝒫(C)), and since E ≤ C implies, because ≤ is transitive, μ_𝒫(C) ⊆ μ_𝒫(E), we have that Bottom(μ_𝒫(B)) ⊆ μ_𝒫(E) ∪ pre(μ_𝒫(E)), so that, by Lemma 5.1, (B, E) ∉ Refiner(𝒫). The for-loop at lines 13-14 is therefore an optimization of Theorem 5.2 since it determines that some pairs of blocks are not a refiner without resorting to the condition ¬(i) ∧ ¬(ii) of Theorem 5.2. This optimization and the related matrix Refiner turn out to be crucial for obtaining the overall time complexity of SSA.

 1 Precondition: TS(Σ, →, P_ℓ) & ∀x, y ∈ S. P_ℓ(x) = P_ℓ(y)
 2 list(State) pos(list(State) S, list(State) T) {
 3     list(State) R := ∅;
 4     forall s ∈ S do mark1(s);
 5     forall t ∈ T do
 6         forall s ∈ pre(t) such that marked1(s) do
 7             mark2(s); R.append(s);
 8     forall y ∈ S backward such that marked2(y) do
 9         forall x ∈ pre(y) such that marked1(x) & unmarked2(x) do
10             mark2(x); R.append(x);
11     forall x ∈ S do unmark1(x); forall x ∈ R do unmark2(x);
12     return R;
13 }

Fig. 4. Computation of pos.



6.3 Computing pos 

Given two lists of states S and T, we want to compute the set of states that belong to pos(S, T). This can be done by traversing once the edges of the transition relation → provided that the list Σ of states satisfies the following property:

For all x, y ∈ Σ, if x precedes y in the list Σ and ℓ(x) = ℓ(y) then y ↛ x.

We denote this property by TS(Σ, P_ℓ). Hence, this is a topological ordering of Σ w.r.t. the transition relation → that is local to each block of the labeling partition P_ℓ. As described in Section 5, as an initial pre-processing step of SSA, we find and collapse inert s.c.c.'s. After this pre-processing step, Σ is then topologically ordered locally to each block of P_ℓ in O(|Σ| + |→|) time in order to establish initially TS(Σ, P_ℓ). We will see in Section 6.4 that while the ordering of the list Σ of states changes across the execution of SSA, the property TS(Σ, P_ℓ) is always maintained invariant.

The computation of pos(S, T) is done by the algorithm in Figure 4. The result R consists of all the states in S that are marked2. We assume that all the states in S have the same labeling by ℓ: this is clearly true when the function pos is called from the algorithm SSA. The for-loop at lines 5-7 makes the states in S ∩ pre(T) marked2. Then, the for-loop at lines 8-10 scans backward the list of states S and when a marked2 state y is encountered then all the states in S ∩ pre(y) are marked2. It is clear that the property TS(Σ, P_ℓ) guarantees that this procedure does not miss states that are in pos(S, T).

 1 list(Block) Split(list(Block) P, list(State) S) {
 2     list(Block) split;
 3     forall x ∈ S do
 4         if (x.block.intersection = null) then
 5             Block B := new Block;
 6             x.block.intersection := B;
 7             split.append(x.block);
 8         move x in the list Σ from x.block at the end of B;
 9         if (x.block = ∅) then x.block := copy(B); x.block.intersection := null;
10     forall B ∈ split do
11         if (B.intersection = null) then split.remove(B); delete B;
12         else insert B.intersection in P in front of B;
13     return split;
14 }

15 void SplittingProcedure(PR (P, Rel), list(State) S) {
16     list(Block) split := Split(P, S);
17     if (split ≠ ∅) then
18         resize Rel;  // update Rel
19         forall B ∈ P do forall C ∈ split do Rel(C.intersection, B) := Rel(C, B);
20         forall B ∈ split do forall C ∈ P do Rel(C, B.intersection) := Rel(C, B);
21         Update();  // update Count, BCount, localBottoms, bottomBlocks
22         forall B ∈ P do B.intersection := null;
23 }

Fig. 5. Splitting Procedure.
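An added example (my own code, not the paper's) of the single backward pass of Figure 4 and of the pre-processing that establishes TS(Σ, P_ℓ): the state list is ordered locally to each label block by a Kahn-style topological sort of the inert transitions (assuming inert s.c.c.'s were already collapsed), pos(S, T) is then computed in one pass, and the same pass is run on a list that violates TS to show which states it misses. Names such as inert_topological_order and pos_one_pass are mine; the pass also marks states of S that already lie in T, the k = 0 case of the definition of pos.

```python
def predecessors(states, edges):
    """pre(s) for every state, as lists in edge order."""
    pred = {s: [] for s in states}
    for x, y in edges:
        pred[y].append(x)
    return pred

def inert_topological_order(states, label, edges):
    """Order Sigma so that every inert transition (same label at both ends)
    goes forward in the list, i.e. TS(Sigma, P_l) holds. Kahn's algorithm
    restricted to inert transitions; it assumes the inert s.c.c.'s have
    already been collapsed, otherwise no such order exists."""
    succ = {s: [] for s in states}
    indeg = {s: 0 for s in states}
    for x, y in edges:
        if label[x] == label[y]:        # cross-label transitions are unconstrained
            succ[x].append(y)
            indeg[y] += 1
    ready = [s for s in states if indeg[s] == 0]
    order = []
    while ready:
        x = ready.pop(0)
        order.append(x)
        for y in succ[x]:
            indeg[y] -= 1
            if indeg[y] == 0:
                ready.append(y)
    if len(order) != len(states):
        raise ValueError("inert s.c.c. present: collapse it before ordering")
    return order

def satisfies_ts(order, label, edges):
    """TS(Sigma, P_l): x before y with l(x) = l(y) implies y -/-> x."""
    position = {s: i for i, s in enumerate(order)}
    return all(label[x] != label[y] or position[x] <= position[y]
               for x, y in edges)

def pos_one_pass(S, T, pred):
    """pos(S, T) with a single backward scan of S, as in Figure 4. S must be
    a sublist of a TS-ordered Sigma whose states share a label: then every
    inert predecessor of y in S precedes y in S, so it is still to be visited
    when y is found marked2. marked1 is membership in S."""
    marked1 = set(S)
    marked2, R = set(), []
    for t in T:                          # lines 5-7: S ∩ pre(T) (and S ∩ T, k = 0)
        for s in ([t] if t in marked1 else []) + pred[t]:
            if s in marked1 and s not in marked2:
                marked2.add(s)
                R.append(s)
    for y in reversed(S):                # lines 8-10: backward scan of S
        if y in marked2:
            for x in pred[y]:
                if x in marked1 and x not in marked2:
                    marked2.add(x)
                    R.append(x)
    return R

def example():
    # Constructed KS: label-a states a4 -> a1 -> a2 -> a3 -> b1 plus a0 -> a2
    # and the cross-label transition b1 -> a0; there is no inert s.c.c.
    states = ["a0", "a1", "a2", "a3", "a4", "b1"]
    label = dict(a0="a", a1="a", a2="a", a3="a", a4="a", b1="b")
    edges = [("a4", "a1"), ("a0", "a2"), ("a1", "a2"), ("a2", "a3"),
             ("a3", "b1"), ("b1", "a0")]
    order = inert_topological_order(states, label, edges)
    pred = predecessors(states, edges)
    S = [s for s in order if label[s] == "a"]     # sublist of the ordered Sigma
    good = pos_one_pass(S, ["b1"], pred)
    bad = pos_one_pass(list(reversed(S)), ["b1"], pred)   # order violates TS
    return order, satisfies_ts(order, label, edges), good, bad

if __name__ == "__main__":
    order, ts_ok, good, bad = example()
    print("TS order:", order, "TS holds:", ts_ok)
    print("pos with TS order:", good)
    print("pos with reversed order (misses states):", bad)
```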

6.4 Splitting Procedure 

SSA calls SplittingProcedure((P, Rel), S) at line 6 with the precondition TS(Σ, P_ℓ) and needs to maintain this invariant property at the exit (as discussed in Section 6.3 this is crucial for computing pos). This function must modify the current PR 𝒫 = (P, Rel) to 𝒫' = (P', Rel') as follows:

(A) P' is the partition obtained by splitting P w.r.t. the splitter S;

(B) Rel is modified to Rel' in such a way that for any x ∈ Σ, μ_𝒫'(P'(x)) = μ_𝒫(P(x)).

Recall that the states of a block B of P are consecutive in the list Σ, so that B is represented as B = [B.begin, B.end[. An implementation of the splitting operation Split(P, S) that only scans the states in S, i.e. that takes O(|S|) time, is quite easy and standard (see e.g. [6,11]). However, this operation affects the ordering of the states in the list Σ because states are moved from old blocks to newly generated blocks. It turns out that this splitting operation can be implemented in a careful way that preserves the invariant property TS(Σ, P_ℓ). The idea is rather simple. Observe that the list of states S = pos(μ_𝒫(X), μ_𝒫(Y)) can be (and actually is) built as a sublist of Σ so that the following property holds: if x precedes y in S and P_ℓ(x) = P_ℓ(y) then y ↛ x. The following picture shows the idea of our implementation of Split(P, S), where states within filled circles determine the splitter set S.

[Figure: the list Σ before Split(P, S), partitioned into the blocks B1, B2, B3 with the states of S drawn as filled circles, and the list after Split(P, S), where each block is replaced by B1 ∩ S, B1 \ S, B2 ∩ S, B2 \ S, B3 ∩ S, B3 \ S, keeping the relative order of the states.]



The property TS(Σ', →, P_ℓ) still holds for the modified list of states Σ'. In fact, from the above picture observe that it is enough to check that if B has been split into B ∩ S and B \ S by preserving the relative order of the states in Σ then, for x ∈ B ∩ S and y ∈ B \ S, y ↛ x. This is true because if y→x and x ∈ S = pos(μ_𝒫(X), μ_𝒫(Y)) then, since x and y are in the same block of P and μ_𝒫(X) is a union of some blocks of P, by definition of pos we would also have that y ∈ S, which is a contradiction.

The functions in Figure 5 sketch a pseudo-code that implements the above described splitting operation (the Update() function is in Figure 8 in Appendix A). The above point (B), i.e., the modification of Rel to Rel' so that for any x ∈ Σ, μ_𝒫'(P'(x)) = μ_𝒫(P(x)), is straightforward and is implemented at lines 18-20 of SplittingProcedure().
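The pos() scan of Section 6.3 and the order-preserving Split of this section, as an added Python illustration that is not the paper's code or pseudo-code: the Kripke structure, the labels and the helper names ts_sort, is_ts_ordered, pos, split and demo are all constructed for this example. The example also covers the general case in which the splitter is interleaved with the other states of its block, so that Split really reorders the list, and checks that TS(Σ, →, P_ℓ) survives.

```python
"""pos() over a TS-ordered state list and order-preserving Split (Sections
6.3 and 6.4); constructed illustration, not the paper's code.

SUCC maps a state to its successors, LABEL gives the labelling partition
P_l.  SIGMA is kept in the paper's TS(Sigma, ->, P_l) order: if x precedes
y and l(x) = l(y) then y does not step to x, so inert transitions point
forward in the list.  Inert SCCs are assumed collapsed already, so the
inert graph is acyclic and such an order exists.
"""
from collections import defaultdict

# constructed Kripke structure: s0..s3 carry label a, t0 and t1 label b
SUCC = {
    "s0": {"s2"}, "s1": {"s3"}, "s2": {"s3", "t0"},
    "s3": {"t1"}, "t0": {"t1", "s0"}, "t1": {"s3"},
}
LABEL = {"s0": "a", "s1": "a", "s2": "a", "s3": "a", "t0": "b", "t1": "b"}
PRE = defaultdict(set)                      # PRE[y] = {x | x -> y}
for _x, _ys in SUCC.items():
    for _y in _ys:
        PRE[_y].add(_x)


def is_ts_ordered(sigma, succ, label):
    """TS(Sigma, ->, P_l): no inert transition points backwards in sigma."""
    index = {s: i for i, s in enumerate(sigma)}
    return all(index[x] < index[y]
               for x in sigma for y in succ[x] if label[x] == label[y])


def ts_sort(states, succ, pre, label):
    """Kahn's topological sort of the inert transitions, one label block at
    a time: the result satisfies TS(Sigma, ->, P_l) with contiguous blocks."""
    order = []
    for lab in sorted(set(label.values())):
        block = sorted(s for s in states if label[s] == lab)
        indeg = {s: sum(1 for p in pre[s] if label[p] == lab) for s in block}
        ready = [s for s in block if indeg[s] == 0]
        while ready:
            s = ready.pop(0)
            order.append(s)
            for t in sorted(succ[s]):
                if label[t] == lab:
                    indeg[t] -= 1
                    if indeg[t] == 0:
                        ready.append(t)
        if sum(1 for s in order if label[s] == lab) != len(block):
            raise ValueError("inert cycle in block %r: collapse SCCs first" % lab)
    return order


SIGMA = ts_sort(set(SUCC), SUCC, PRE, LABEL)


def pos(sigma, pre, S, T):
    """pos(S, T): states of S from which T is reached by a path whose earlier
    states stay in S (a zero-length path counts, so S & T is included).
    Single backward scan of Section 6.3: mark S & (T | pre(T)), walk sigma
    backwards and, at every marked y, mark S & pre(y).  S must lie inside one
    label block (as pos(mu(X), mu(Y)) does in SSA): then every predecessor of
    a marked y inside S is inert, hence earlier in sigma and still ahead of
    the scan, so a single pass finds the whole set."""
    marked = (S & T) | {x for t in T for x in pre[t] if x in S}
    for y in reversed(sigma):
        if y in marked:
            marked |= {x for x in pre[y] if x in S}
    return marked


def split(sigma, partition, S):
    """Split(P, S) on the list representation: block B = sigma[begin:end]
    becomes B & S followed by B - S (the paper inserts B.intersection in
    front of B), keeping the relative order inside each part, which is what
    preserves TS.  Returns the new list and the partition as (begin, end)."""
    new_sigma, new_partition = [], []
    for begin, end in partition:
        block = sigma[begin:end]
        for part in ([s for s in block if s in S], [s for s in block if s not in S]):
            if part:
                new_partition.append((len(new_sigma), len(new_sigma) + len(part)))
                new_sigma.extend(part)
    return new_sigma, new_partition


def demo():
    """One splitting step: pos(block_a, {s2}) is interleaved with the other
    a-states, so Split reorders the list; the TS invariant still holds."""
    n_a = sum(1 for s in SIGMA if LABEL[s] == "a")
    partition = [(0, n_a), (n_a, len(SIGMA))]          # P_l as slices of SIGMA
    splitter = pos(SIGMA, PRE, {s for s in SIGMA if LABEL[s] == "a"}, {"s2"})
    new_sigma, new_partition = split(SIGMA, partition, splitter)
    return splitter, new_sigma, new_partition, is_ts_ordered(new_sigma, SUCC, LABEL)
```

demo() yields the splitter {s0, s2}, the reordered list [s0, s2, s1, s3, t0, t1] with partition [(0, 2), (2, 4), (4, 6)], and confirms that the new list is still TS-ordered; splitting by a set that is not backward-closed inside its block (for instance {s1, s3}) would instead put s1 before s0 although s0 → s1, which is exactly why SSA only splits by pos results.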



6.5 Refine Function

SSA calls Refine((P, Rel), S) at line 7 with the precondition that S is a union of blocks of the current partition P. The function Refine((P, Rel), S) in Figure 6 implements the point (5) of Section 4.1. This function must modify the current PR 𝒫 = (P, Rel) to 𝒫' = (P, Rel') by pruning the relation Rel in such a way that for any B ∈ P:

$$
\mu_{\mathcal{P}'}(B) =
\begin{cases}
\mu_{\mathcal{P}}(B) \cap S & \text{if } B \subseteq S \\
\mu_{\mathcal{P}}(B) & \text{if } B \cap S = \varnothing
\end{cases}
$$

This is done by the Refine() function at lines 5-7 by reducing the relation Rel to Rel' as follows: if B, C ∈ P and Rel(B, C) = tt then Rel'(B, C) = ff iff B ⊆ S and C ∩ S = ∅, while the rest of the code updates the data structures Count, BCount and bottomBlocks accordingly (note that localBottoms do not need to be updated).



6.6 Auxiliary Functions

It is straightforward to implement the remaining functions Initialize() and Image() (these are given in Figure 7 in Appendix A). It is just worth remarking that in Initialize(), TopologicalSort(Σ, →, P) establishes initially the property TS(Σ, →, P_ℓ), while the call TopologicalSort(P, Rel) provides an initial reverse topological order of P w.r.t. Rel when the input partial ordering Rel is not the identity relation id.

 1  void Refine(PR (P, Rel), list(State) S) {
 2    list(Block) L := ∅;
 3    forall s ∈ S such that unmarked(s.block) do mark(s.block); L.append(s.block);
 4    forall B ∈ L do
 5      forall C ∈ P do
 6        if (Rel(B, C) = tt & unmarked(C)) then
 7          Rel(B, C) := ff;
 8          forall y ∈ C do
 9            forall x ∈ pre(y) do Count(x, B)--; BCount(x.block, B)--;
10          if (C ∈ B.bottomBlocks) then B.bottomBlocks.erase(C);
11          forall y ∈ C do
12            forall x ∈ pre(y) do
13              if (x.block ≠ B & Rel(B, x.block) = tt & Count(x, B) = 0)
14              then
15                if unmarked2(x.block) then
16                  mark2(x.block); B.bottomBlocks.append(x.block);
17    forall B ∈ P do unmark(B); unmark2(B);
18  }

Fig. 6. Refine function.

6.7 Complexity

Time and space bounds for SSA are as follows. In the following statement we assume, as usual in model checking, that the transition relation → is total, i.e., for any s ∈ Σ there exists t ∈ Σ such that s→t, so that the inequalities |Σ| ≤ |→| and |P_stsim| ≤ |→^∃| hold; this allows us to simplify the expression of the time bound.

Theorem 6.1 (Complexity). SSA runs in O(|P_stsim|^2 (|→| + |P_stsim| |→^∃|))-time and O(|Σ| |P_stsim| log |Σ|)-space.

6.8 Adapting SSA for LTSs

The algorithm SSA computes the stuttering simulation preorder on KSs, but it can be modified to work over LTSs by following the adaptation to LTSs of Groote and Vaandrager's algorithm [6] for KSs. Due to lack of space the details are here omitted. We just mention that for any action a ∈ Act we have a parametric pos_a operator, so that the notions of splitting and refinement of the current PR are parameterized w.r.t. the action a.
7 Conclusion

We presented an algorithm, called SSA, for computing the stuttering simulation preorder and equivalence on a Kripke structure or labeled transition system. To the best of our knowledge, this is the first algorithm for computing this behavioural preorder. The only available algorithm related to stuttering simulation is a procedure by Bulychev et al. [2] that checks whether a given relation is a stuttering simulation. Our procedure SSA includes an algorithm for checking whether a given relation is a stuttering simulation that significantly improves Bulychev et al.'s one both in time and in space.

of Padova under the Projects "Formal methods for specifying and verifying behavioural
A Appendix

Lemma A.1. At the beginning of any iteration of BasicSSA, StSim is a preorder.

Proof. Initially, StSim is reflexive and transitive because {StSim(x)}_{x∈Σ} is a partition. Let us denote by StSim_i the value of StSim at the beginning of the i-th iteration of BasicSSA. Then,

$$
\mathrm{StSim}_{i+1}(x) =
\begin{cases}
\mathrm{StSim}_i(x) \cap S & \text{if } x \in S \\
\mathrm{StSim}_i(x) & \text{if } x \notin S
\end{cases}
$$

Then, by inductive hypothesis, StSim_{i+1} is clearly reflexive. Let us turn to transitivity. Consider z ∈ StSim_{i+1}(y) ⊆ StSim_i(y) and y ∈ StSim_{i+1}(x) ⊆ StSim_i(x). Then, by inductive hypothesis, z ∈ StSim_i(x). If x ∉ S then StSim_i(x) = StSim_{i+1}(x) and therefore z ∈ StSim_{i+1}(x). If, instead, x ∈ S then StSim_{i+1}(x) = StSim_i(x) ∩ S and therefore y ∈ S. Hence, StSim_{i+1}(y) = StSim_i(y) ∩ S so that z ∈ S, i.e. z ∈ StSim_i(x) ∩ S = StSim_{i+1}(x). □



Proof of Lemma [number illegible]. The output relation StSim is a stuttering simulation so that StSim ⊆ R_stsim. Thus, we need to prove that StSim ⊇ R_stsim. Let us denote by StSim_i the value of StSim at the beginning of the i-th iteration of BasicSSA. We show by induction on i that R_stsim ⊆ StSim_i.

(i = 0) R_stsim ⊆ StSim_0 because StSim_0(x) = P_ℓ(x).

(i + 1) Let us prove that for any w, R_stsim(w) ⊆ StSim_{i+1}(w), where

$$
\mathrm{StSim}_{i+1}(w) =
\begin{cases}
\mathrm{StSim}_i(w) \cap S & \text{if } w \in S \\
\mathrm{StSim}_i(w) & \text{if } w \notin S
\end{cases}
$$

S = pos(StSim_i(x), StSim_i(y)), x→y and StSim_i(x) ⊄ S.

If w ∉ S then StSim_{i+1}(w) = StSim_i(w) ⊇ R_stsim(w). If, instead, w ∈ S then StSim_{i+1}(w) = StSim_i(w) ∩ S. By inductive hypothesis, StSim_i(w) ⊇ R_stsim(w), therefore it is enough to show that S = pos(StSim_i(x), StSim_i(y)) ⊇ R_stsim(w). Consider v ∈ R_stsim(w). Since w ∈ pos(StSim_i(x), StSim_i(y)), there exists a path w = u_0 → u_1 → ... → u_{n-1} → u_n such that for any j ∈ [0, n), u_j ∈ StSim_i(x) and u_n ∈ StSim_i(y). It turns out that any transition u_j → u_{j+1} can be lifted to a path

$$
w^j_0 \to w^j_1 \to \cdots \to w^j_{m_j}
$$

where w^j_k ∈ R_stsim(u_j) when k ∈ [0, m_j) and w^j_{m_j} ∈ R_stsim(u_{j+1}), and in particular w^0_0 = v. In fact, consider the first transition w = u_0 → u_1. Since v ∈ R_stsim(w), there exist w^0_0, ..., w^0_{m_0} such that v = w^0_0 → w^0_1 → ... → w^0_{m_0}, where w^0_l ∈ R_stsim(u_0) for any l ∈ [0, m_0) and w^0_{m_0} ∈ R_stsim(u_1). Thus, by a simple induction, any transition u_j → u_{j+1} can be lifted to one such path. Moreover, by induction, for any j ∈ [0, n), R_stsim(u_j) ⊆ StSim_i(u_j), while R_stsim(u_n) ⊆ StSim_i(u_n). By Lemma A.1, StSim_i is transitive so that from {u_0, ..., u_{n-1}} ⊆ StSim_i(x) and u_n ∈ StSim_i(y) we obtain that for any j ∈ [0, n), StSim_i(u_j) ⊆ StSim_i(x) and StSim_i(u_n) ⊆ StSim_i(y). The concatenation of the above paths therefore provides a path

$$
w_0 \to w_1 \to \cdots \to w_n
$$

such that for any l ∈ [0, n), w_l ∈ StSim_i(x) and w_n ∈ StSim_i(y). Consequently, v ∈ pos(StSim_i(x), StSim_i(y)) and this concludes the proof. □



Proof of Theorem 4.1. (⇒) If μ_𝒫 is a stuttering simulation and t ∈ μ_𝒫(s) then ℓ(t) = ℓ(s), i.e., t ∈ P_ℓ(s). Moreover, if B →^∃ C then there exist s ∈ B and s' ∈ C such that s→s', so that μ_𝒫(s) ⊆ pos(μ_𝒫(s), μ_𝒫(s')). Since μ_𝒫(s) = μ_𝒫(B) and μ_𝒫(s') = μ_𝒫(C), we have that μ_𝒫(B) ⊆ pos(μ_𝒫(B), μ_𝒫(C)). Hence, Refiner(𝒫) = ∅.
(⇐) Assume that s→s' and t ∈ μ_𝒫(s). Therefore, t ∈ P_ℓ(s), i.e., ℓ(t) = ℓ(s). Furthermore, P(s) →^∃ P(s'), so that from Refiner(𝒫) = ∅ we obtain that μ_𝒫(P(s)) ⊆ pos(μ_𝒫(P(s)), μ_𝒫(P(s'))). Since μ_𝒫(P(s)) = μ_𝒫(s) and μ_𝒫(P(s')) = μ_𝒫(s'), we have that μ_𝒫(s) ⊆ pos(μ_𝒫(s), μ_𝒫(s')), and therefore μ_𝒫 is a stuttering simulation. □



Proof of Theorem 4.2. This is a consequence of the following two facts. Let StSim be the current relation in BasicSSA at the end of some iteration and let 𝒫 = (P, ≤) be the corresponding PR.

(i) We have that (x, y) ∈ Σ^2 is a refiner in BasicSSA iff (P(x), P(y)) ∈ P^2 is a refiner in SSA. This is true because for any x, y ∈ Σ, we have that StSim(x) ⊄ pos(StSim(x), StSim(y)) iff μ_𝒫(P(x)) ⊄ pos(μ_𝒫(P(x)), μ_𝒫(P(y))).

(ii) Let (x, y) ∈ Σ^2 be a refiner in BasicSSA and S = pos(StSim(x), StSim(y)) = pos(μ_𝒫(P(x)), μ_𝒫(P(y))). Let P' = Split(P, S). Consider

$$
\mathrm{StSim}'(z) =
\begin{cases}
\mathrm{StSim}(z) \cap S & \text{if } z \in S \\
\mathrm{StSim}(z) & \text{if } z \notin S
\end{cases}
\qquad
\mu_{\mathcal{P}'}(B) =
\begin{cases}
\mu_{\mathcal{P}}(B) \cap S & \text{if } B \subseteq S \\
\mu_{\mathcal{P}}(B) & \text{if } B \cap S = \varnothing
\end{cases}
$$

where z ∈ Σ and B ∈ P'. Then, for any x ∈ Σ, StSim'(x) = μ_𝒫'(P'(x)). □



Proof of Lemma 5.1. Let μ = μ_𝒫 and (B, C) ∈ P^2 such that B →^∃ C.

Assume that μ(B) ⊆ pos(μ(B), μ(C)) and consider b ∈ Bottom(μ(B)). Then, b ∈ pos(μ(B), μ(C)), so that there exist x_0, ..., x_k ∈ μ(B), with k ≥ 0, such that b = x_0, for all i ∈ [0, k), x_i ∈ μ(B) and x_i → x_{i+1}, and x_k ∈ μ(C). Since b ∈ Bottom(μ(B)), we have that b ∉ pre(μ(B)) and therefore necessarily either k = 0 or k = 1. If k = 0 then b ∈ μ(B) ∩ μ(C). If instead k = 1 then b ∈ pre(μ(C)). Thus, b ∈ μ(C) ∪ pre(μ(C)).

Conversely, assume that Bottom(μ(B)) ⊆ μ(C) ∪ pre(μ(C)) and consider x ∈ μ(B). If x ∈ Bottom(μ(B)) then clearly x ∈ pos(μ(B), μ(C)). If instead x ∉ Bottom(μ(B)) then x ∈ pre(μ(B)), so that there exists y ∈ μ(B) such that x→y. Again, if y ∈ Bottom(μ(B)) then y ∈ pos(μ(B), μ(C)) and therefore we have that x ∈ pos(μ(B), μ(C)). If y ∉ Bottom(μ(B)) then we can go on with this construction. Since Σ is finite, in this way we would obtain a cycle of inert transitions inside μ(B) ⊆ P_ℓ(B), namely a contradiction. Thus, there must exist some z ∈ Bottom(μ(B)) such that x →* z, and therefore x ∈ pos(μ(B), μ(C)). Hence, μ(B) ⊆ pos(μ(B), μ(C)). □
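The Refine step of Section 6.5 and the bottom-state characterization of refiners proved in Lemma 5.1, as an added Python illustration that is not the paper's code: the Kripke structure, the block names A, B, C, the PR encoding (P as a dict of blocks, Rel as a set of block pairs with μ(B) the union of the C with Rel(B, C)) and the helper names pre, bottom, pos, mu, edge, is_refiner_by_pos, is_refiner_by_bottom, refiners, split_pr, refine and compute_pr are all constructed here. The example goes a little beyond the lemma: it also runs the block-level refinement loop to a fixpoint on the constructed structure and compares the two refiner tests on every intermediate PR.

```python
"""Refiner detection through bottom states (Lemma 5.1) and the Refine step
of Section 6.5, plus the block-level loop they sit in; constructed
illustration, not the paper's code.

Assumed conventions: a PR is (P, Rel) with P a dict block name -> set of
states and Rel a set of block pairs (Rel(B, C) = tt iff (B, C) in Rel);
mu(B) is the union of the blocks C with Rel(B, C).  Inert SCCs are assumed
collapsed (the converse half of Lemma 5.1 needs this) and Rel is assumed to
relate only blocks with equal labels.
"""

# constructed Kripke structure: s0, s1, s2 carry label a, t0 label b, u0 label c
SUCC = {"s0": {"s1"}, "s1": {"t0"}, "s2": {"u0"}, "t0": {"u0"}, "u0": {"t0"}}
STATES = set(SUCC)
P0 = {"A": {"s0", "s1", "s2"}, "B": {"t0"}, "C": {"u0"}}   # labelling partition P_l
REL0 = {(B, B) for B in P0}                               # identity: mu(B) = B


def pre(X):
    """pre(X): states with a successor in X."""
    return {x for x in STATES if SUCC[x] & X}


def bottom(X):
    """Bottom(X) = X \\ pre(X): states of X with no successor inside X."""
    return X - pre(X)


def pos(S, T):
    """Reference definition of pos(S, T): states of S with a path
    u0 -> ... -> un (n >= 0) whose first n states lie in S and whose last
    state lies in T; computed as a plain backward fixpoint."""
    result = {s for s in S if s in T or SUCC[s] & T}
    while True:
        grown = result | {s for s in S if SUCC[s] & result}
        if grown == result:
            return result
        result = grown


def mu(P, Rel, B):
    return set().union(*(P[C] for C in P if (B, C) in Rel))


def edge(P, B, C):
    """B ->E C: some state of B has a successor in C."""
    return any(SUCC[s] & P[C] for s in P[B])


def is_refiner_by_pos(P, Rel, B, C):
    """Theorem 4.1 form: (B, C) is a refiner iff B ->E C and mu(B) is not
    contained in pos(mu(B), mu(C))."""
    mB, mC = mu(P, Rel, B), mu(P, Rel, C)
    return edge(P, B, C) and not mB <= pos(mB, mC)


def is_refiner_by_bottom(P, Rel, B, C):
    """Lemma 5.1 form of the same test, through bottom states only:
    mu(B) <= pos(mu(B), mu(C)) iff Bottom(mu(B)) <= mu(C) | pre(mu(C))."""
    mB, mC = mu(P, Rel, B), mu(P, Rel, C)
    return edge(P, B, C) and not bottom(mB) <= (mC | pre(mC))


def refiners(P, Rel, test=is_refiner_by_bottom):
    return sorted((B, C) for B in P for C in P if test(P, Rel, B, C))


def split_pr(P, Rel, S):
    """SplittingProcedure, point (B) of Section 6.4: every block meeting both
    S and its complement is cut in two, and each piece inherits the Rel row
    and column of its origin, so mu'(P'(x)) = mu(P(x)) for every state x."""
    P2, origin = {}, {}
    for B, states in P.items():
        pieces = ([(B + "&S", states & S), (B + "-S", states - S)]
                  if states & S and states - S else [(B, states)])
        for name, part in pieces:
            P2[name], origin[name] = part, B
    return P2, {(B, C) for B in P2 for C in P2 if (origin[B], origin[C]) in Rel}


def refine(P, Rel, S):
    """Refine((P, Rel), S): Rel'(B, C) = ff iff B <= S and C & S = {}, so
    mu'(B) = mu(B) & S for blocks inside S and mu'(B) = mu(B) otherwise."""
    assert all(P[B] <= S or not (P[B] & S) for B in P), "S must be a union of blocks"
    return {(B, C) for (B, C) in Rel if not (P[B] <= S and not (P[C] & S))}


def compute_pr(P, Rel):
    """Block-level refinement loop: while a refiner (B, C) exists, split by
    S = pos(mu(B), mu(C)) and prune Rel by S.  Every round removes at least
    one Rel entry, so it terminates; at exit mu is a stuttering simulation."""
    while True:
        found = refiners(P, Rel)
        assert found == refiners(P, Rel, is_refiner_by_pos)   # Lemma 5.1 on this PR
        if not found:
            return P, Rel
        B, C = found[0]
        S = pos(mu(P, Rel, B), mu(P, Rel, C))
        P, Rel = split_pr(P, Rel, S)
        Rel = refine(P, Rel, S)
```

On the constructed structure the identity PR has the refiners (A, B) and (A, C): the bottom states of A are s1 and s2, and s2 has no transition into B. The first round splits A by pos(A, B) = {s0, s1}, copies Rel to the two pieces, and Refine then drops the entry from the piece inside S to the piece outside it; a second round removes the symmetric entry, after which no refiner remains.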



Proof of Theorem 5.2. Let us first observe that since ≤ is a preorder, and therefore transitive, if B ≤ C then μ_𝒫(C) ⊆ μ_𝒫(B).

(⇒) Let us assume that (B, C) ∉ Refiner(𝒫). If C ≤ B then both conditions (i) and (ii) trivially do not hold: for (ii), D ∈ bottomBlock(B) implies C ≤ B ≤ D, and therefore C ≤ D, which is in contradiction with C ≰ D. Thus, assume that C ≰ B. Since B →^∃ C, by Lemma 5.1 we have that Bottom(μ_𝒫(B)) ⊆ μ_𝒫(C) ∪ pre(μ_𝒫(C)). Hence, Bottom(μ_𝒫(B)) ∩ B ⊆ (μ_𝒫(C) ∩ B) ∪ (pre(μ_𝒫(C)) ∩ B) = pre(μ_𝒫(C)) ∩ B ⊆ pre(μ_𝒫(C)), because C ≰ B implies B ∩ μ_𝒫(C) = ∅. Moreover, if C ≰ D, then, again by Lemma 5.1, Bottom(μ_𝒫(B)) ∩ D ⊆ pre(μ(C)) ∩ D. If D ∈ bottomBlock(B) then Bottom(μ_𝒫(B)) ∩ D ≠ ∅ and therefore pre(μ(C)) ∩ D ≠ ∅, i.e., D →^∃ μ_𝒫(C).

(⇐) We prove that if (i) and (ii) do not hold then (B, C) ∉ Refiner(𝒫). By Lemma 5.1, let us show that Bottom(μ_𝒫(B)) ⊆ μ_𝒫(C) ∪ pre(μ_𝒫(C)). If C ≤ B then this is trivially true. Thus, let us assume that C ≰ B.

$$
\begin{aligned}
&\mathrm{Bottom}(\mu_{\mathcal{P}}(B)) = \\
&\qquad [\text{as } \mu_{\mathcal{P}}(B) = \textstyle\bigcup\{D \in P \mid B \le D\}] \\
&\textstyle\bigcup\{D \cap \mathrm{Bottom}(\mu_{\mathcal{P}}(B)) \mid B \le D\} = \\
&\qquad [\text{by set theory}] \\
&(B \cap \mathrm{Bottom}(\mu_{\mathcal{P}}(B))) \cup
  \textstyle\bigcup\{D \cap \mathrm{Bottom}(\mu_{\mathcal{P}}(B)) \mid B \le D,\ C \not\le D\} \cup
  \textstyle\bigcup\{D \cap \mathrm{Bottom}(\mu_{\mathcal{P}}(B)) \mid B \le D,\ C \le D\} = \\
&\qquad [\text{by definition of bottomBlock}] \\
&(B \cap \mathrm{Bottom}(\mu_{\mathcal{P}}(B))) \cup
  \textstyle\bigcup\{D \cap \mathrm{Bottom}(\mu_{\mathcal{P}}(B)) \mid D \in \mathrm{bottomBlock}(B),\ C \not\le D\} \cup
  \textstyle\bigcup\{D \cap \mathrm{Bottom}(\mu_{\mathcal{P}}(B)) \mid B \le D,\ C \le D\} \subseteq \\
&\qquad [\text{by conditions (i) and (ii)}] \\
&\mathrm{pre}(\mu_{\mathcal{P}}(C)) \cup
  \textstyle\bigcup\{D \cap \mathrm{Bottom}(\mu_{\mathcal{P}}(B)) \mid D \in \mathrm{bottomBlock}(B),\ C \not\le D,\ D \to^{\exists} \mu_{\mathcal{P}}(C)\} \cup
  \textstyle\bigcup\{D \cap \mathrm{Bottom}(\mu_{\mathcal{P}}(B)) \mid B \le D,\ C \le D\} \subseteq \\
&\qquad [\text{because } C \le D \Rightarrow D \subseteq \mu_{\mathcal{P}}(C)] \\
&\mathrm{pre}(\mu_{\mathcal{P}}(C)) \cup
  \textstyle\bigcup\{D \cap \mathrm{Bottom}(\mu_{\mathcal{P}}(B)) \mid D \in \mathrm{bottomBlock}(B),\ C \not\le D,\ D \to^{\exists} \mu_{\mathcal{P}}(C)\} \cup
  \mu_{\mathcal{P}}(C).
\end{aligned}
$$

Consider now D ∈ bottomBlock(B), C ≰ D and D →^∃ μ_𝒫(C). Then,

$$
\begin{aligned}
D \cap \mathrm{Bottom}(\mu_{\mathcal{P}}(B))
&= D \cap \mu_{\mathcal{P}}(B) \cap \neg\mathrm{pre}(\mu_{\mathcal{P}}(B)) \\
&= D \cap \neg\mathrm{pre}(\mu_{\mathcal{P}}(B)) && [\text{as } D \subseteq \mu_{\mathcal{P}}(B)] \\
&\subseteq \mu_{\mathcal{P}}(D) \cap \neg\mathrm{pre}(\mu_{\mathcal{P}}(D)) && [\text{as } D \subseteq \mu_{\mathcal{P}}(D) \subseteq \mu_{\mathcal{P}}(B)] \\
&= \mathrm{Bottom}(\mu_{\mathcal{P}}(D)).
\end{aligned}
$$

Since D →^∃ μ_𝒫(C), there exists C ≤ E such that D →^∃ E. Since (B, C) < (D, E) and D →^∃ E, by hypothesis, (D, E) ∉ Refiner(𝒫), so that, by Lemma 5.1, we have that Bottom(μ_𝒫(D)) ⊆ μ_𝒫(E) ∪ pre(μ_𝒫(E)) ⊆ μ_𝒫(C) ∪ pre(μ_𝒫(C)). Thus, summing up, it turns out that Bottom(μ_𝒫(B)) ⊆ μ_𝒫(C) ∪ pre(μ_𝒫(C)), so that, by Lemma 5.1, (B, C) ∉ Refiner(𝒫). □

Proof of Theorem 6.1. Time Complexity. The time complexities of the various functions that are called by SSA are as follows.

- Initialize() takes O(|P||→|) time.

- FindRefiner() takes O(|P|^2 + |→| + |P||→^∃|) time. This bound is computed as follows. Line 4 takes O(|P|^2) time. Lines 5-6 take O(|→| + |P|^2) time. Note that lines 5-6 are actually implemented as follows:

    forall C ∈ P do
        forall y ∈ C do forall x ∈ pre(y) do mark(x.block);
        forall B ∈ P such that marked(B) do
            // main body of FindRefiner()
        end
        forall B ∈ P do unmark(B);
    end

  Lines 11-12 and 13-14 take O(|P||→^∃|) time. The estimate of the overall cost of lines 7-10 deserves special care. At line 10, it turns out that Count(s, C) > 0 ⇒ s →^∃ C: if Count(s, C) > 0 at line 10 then s →^∃ ∪{E ∈ P | E ≤ C}. However, as a consequence of the code at lines 13-14, it turns out that when we are at line 10, namely when Refiner(B, C) = maybe, it is true that {E ∈ P | E ≤ C} = {C}, so that s →^∃ C. Hence, the overall cost of lines 7-10 is Σ_{C∈P} Σ_{B∈P} |{(x, y) | x ∈ B, y ∈ C, x→y}| ≤ |→|.

- Image((P, Rel), B) takes O(|Σ|) time.

- pos(S, T) takes O(|S| + |→|) time.

- SplittingProcedure((P, Rel), S) takes O(|P||S|) time. In particular, Split(P, S) takes O(|S|) time.

- Refine((P, Rel), S) takes O(|S| + |{B ∈ P | B ⊆ S}|(|P| + |→|)) time.

Let us prove that the overall number of blocks newly generated by SplittingProcedure() at line 6 of SSA is 2(|P_stsim| − |P_ℓ|). Let {P_i}_{i∈[0,n]} be the sequence of partitions computed by SSA, where P_0 is the initial partition P_ℓ, P_n is the final partition P_stsim and for all i ∈ [0, n−1], P_{i+1} ≺ P_i. The number of blocks newly generated by one splitting operation that refines P_i to P_{i+1} is given by 2(|P_{i+1}| − |P_i|). Thus, the overall number of newly generated blocks is Σ_{i=0}^{n−1} 2(|P_{i+1}| − |P_i|) = 2(|P_stsim| − |P_ℓ|).

It turns out that the overall number of iterations of the main while-loop of SSA is in O(|P_stsim|^2). If at some iteration of SSA it happens that line 7 of Refine() sets Rel(B, C) := ff for some blocks B and C then, for all the successive iterations of SSA, for any block D which is contained in B (namely, which is a descendant of B) and for any block E which is contained in C, we will have that Rel(D, E) = ff. Moreover, at any iteration of SSA, there exist at least two blocks B, C ∈ P such that the assignment Rel(B, C) := ff at line 7 of Refine() is executed. Since for any block B, the assignment Rel(B', C) := ff for some B' ⊆ B and for some C may happen at most |P_stsim| times, we obtain that the overall number of iterations is in O(|P_stsim|^2).

Hence, the overall time complexities of the functions called within the main while-loop of SSA are as follows:

- FindRefiner(): O(|P_stsim|^2 (|P_stsim|^2 + |→| + |P_stsim||→^∃|));

- Image((P, Rel), B): O(|P_stsim|^2 |Σ|);

- pos(S, T): O(|P_stsim|^2 (|Σ| + |→|));

- SplittingProcedure((P, Rel), S): O(|P_stsim|^3 |Σ|).

The analysis of the overall time complexity of Refine((P, Rel), S) needs the following observation. As observed above, if at some iteration of SSA it happens that line 7 of Refine() sets Rel(B, C) := ff for some blocks B and C then for all the successive iterations of SSA, for any block D which is contained in B and for any block E which is contained in C, we will have that Rel(D, E) = ff. Thus, for a given block B, if the test Rel(C, B) = tt at line 6 of Refine() is true then for any block C' which is a descendant of C, the test Rel(C', B) = tt will be false. This means that for any given block B, the body at lines 7-16 of the if-then statement at line 6 will be executed at most |P_stsim| times. Therefore, the overall time complexity in SSA of lines 3 and 17 of Refine((P, Rel), S) is O(|P_stsim|(1 + |→| + |P_stsim| + |→|)) = O(|P_stsim|^2 + |P_stsim||→|). Since the overall cost of lines 2-7 and 18 is O(|P_stsim|^2 (|Σ| + |P_stsim|^2)), it turns out that the overall cost of Refine((P, Rel), S) is O(|P_stsim|(|→| + |P_stsim||Σ| + |P_stsim|^3)).

Summing up, the overall time complexity of SSA is

O(|P_stsim|^2 (|Σ| + |→| + |P_stsim|^2 + |P_stsim||→^∃|)).

If → is total then |Σ| ≤ |→| and |P_stsim| ≤ |→^∃|, so that the time complexity of SSA simplifies to O(|P_stsim|^2 (|→| + |P_stsim||→^∃|)).

Space Complexity. The space complexity of SSA is in O(|Σ||P_stsim| log |Σ|) because:

- The pointers from any state s ∈ Σ to the block P(s) of the current partition are stored in O(|Σ| log |P_stsim|) space.

- The lists localBottoms and bottomBlocks globally take, respectively, O(|P_stsim||Σ|) and O(|P_stsim|^2) space.

- The current partition P is stored in O(|P_stsim|) space.

- The current relation Rel is stored in O(|P_stsim|^2) space.
Initialize() {
    CollapseSCC(Σ, →, P);
    TopologicalSort(Σ, →, P);
    TopologicalSort(P, Rel);
    // initialize Count
    forall y ∈ Σ do
        forall x ∈ pre(y) do
            forall C ∈ P do
                if (Rel(y.block, C) = tt) then Count(x, C)++;
    // initialize BCount
    forall C ∈ P do
        forall x ∈ Σ do BCount(x.block, C) += Count(x, C);
    // initialize localBottoms and bottomBlocks
    forall B ∈ P do
        if (∃x ∈ B. Count(x, B) = 0) then B.localBottoms.append(x);
        forall C ∈ P such that C ≠ B do
            if (Rel(C, B) = tt & ∃x ∈ C. Count(x, B) = 0) then
                B.bottomBlocks.append(C);
}

list(State) Image(PR (P, Rel), Block B) {
    list(State) R := ∅;
    forall C ∈ P such that (Rel(C, B) = tt) do
        forall x ∈ C do R.append(x);
    return R;
}

Fig. 7. Initialize() and Image() Functions.



- The resizable tables Count and BCount take, respectively, O(|Σ||P_stsim| log |Σ|) and O(|P_stsim|^2 log |Σ|) space.

- The local table Refiner in function FindRefiner() takes O(|P_stsim|^2) space. □
Update() {
    resize Count, BCount;
    forall B ∈ split do
        forall x ∈ Σ do
            Count(x, B.intersection) := Count(x, B);
        // split the old localBottoms between the two blocks, reading the old
        // list before B.localBottoms is narrowed to the states still in B
        B.intersection.localBottoms := B.localBottoms ∩ B.intersection;
        B.localBottoms := B.localBottoms ∩ B;
        forall C ∈ P do
            int k := BCount(B, C);
            BCount(B, C) := 0;
            forall x ∈ B do
                BCount(B, C) += Count(x, C);
            BCount(B.intersection, C) := k − BCount(B, C);
    forall B ∈ P do
        forall C ∈ B.bottomBlocks such that C.intersection ≠ null do
            if (∀x ∈ C. Count(x, B) > 0) then
                B.bottomBlocks.remove(C);
                B.bottomBlocks.append(C.intersection);
            else
                if (∃x ∈ C.intersection. Count(x, B) = 0) then
                    B.bottomBlocks.append(C.intersection);
}

Fig. 8. Update() Function.